Canopy allows you to organise your data into a hierarchical model. At
the top is the Company (or Client). Within a company we store
opportunities, scopes, projects, phases, findings, assets, reports and
everything else relating to our assessments.

Companies: A company (or client) is a top-level
container where we store all of our projects, opportunities, findings,
reports and so on relating to a single company.

Opportunities: The pre-sale phase of service
delivery is very important. It’s where we capture the necessary scope
and information for delivering our projects, defining the commercial
agreements and confirming with our clients what is to be done (e.g.
statement of work). Canopy’s Opportunity module allows us to manage
this phase of the delivery workflow.

Statements of work [TODO]: A statement of work (SoW)
is a document sent to a client to confirm to them the key details of the
testing. This might include the technical scope, delivery dates and
financial information.

Projects: Canopy organises its main delivery work
into projects and phases. Here we explain the key concepts and why
we take this hierarchical approach.

Phases: Phases in Canopy are used to store the
findings, assets, examples (evidence) and other data collected during
the delivery. A phase provides a container for managing this information,
which can then be used for reports.

Getting work done

Once you have our structure set up to organise your teams for delivery,
it’s time to get work done. Fundamentally Canopy structures its data
around…

Todo

Complete/rewrite above sentence.

Logging in: A short guide to logging in to Canopy.
Most people should be familiar with such processes, but we think it’s
good to cover the basics (and some of the other authentication
options).

Findings: Findings (or vulnerabilities in some
companies) are a cornerstone of Canopy. Many of the types of projects
delivered by teams that use Canopy centre around findings and the
relationship of these findings to assets (be they servers, source
code, physical buildings, etc.).

Assets: Assets are another key cornerstone of
Canopy. Assets are used to bind Findings to Examples (evidence).
Conceptually, if a finding is found, it will relate to a given asset
(be that source code, a building, etc.).

Examples: Examples are additional data points used
to show how a finding was identified. This can take the form of
repeatable steps, screenshots, code or tool output and so on.

Methodologies [TODO]: Methodologies help to ensure work is
delivered consistently across similar projects.

Reports [TODO]: The typical end delivery from a project is
a report (or many reports). Learn more about how to generate reports
for delivering to your clients.

Other concepts [TODO]: Canopy provides a number of other
(optional) features to help improve your delivery and structure your
information for reporting and analysis.

Reusing content with templates

A major benefit of Canopy is that it allows you to reuse content, where
you believe it's appropriate. You can have stock finding write-ups
through the Findings Knowledge Base, as well as base report templates
and statement of work templates for getting a head start with writing
documents, and more. This allows users of Canopy to reduce time spent
rewriting the same content, and also to ensure consistency, where
needed.

Findings Knowledge Base: The findings knowledge base (KB) acts as a
repository for reusable write-ups for findings. The main point of
reusable content is to ensure consistency, but only where it’s
required. The existence of a KB shouldn’t mean clients receive generic
content, but it does allow users to have a starting point for
tailoring content, and to use common information where it makes sense.

Report templates [TODO]: Report templates are used for
building the end-user reports you want to send to your clients. These
are built using a simple form builder inside of Canopy, and then
mapped to Word documents. More information can be found in the
Report templates section.

Statement of work templates [TODO]: Much like template reports, the
statement of work (SoW) template is used to produce custom,
company-branded SoWs or proposals for issuing to your clients. The process is
the same, although the data these document templates access is
different.

Methodology templates: Methodologies are commonly
used to establish best practices within service delivery
organisations. The methodology template section is used to define such
methodologies, which can then be used for delivery as required.

Message templates: Message templates are used to
build standard messages for user and client notification. Do you have
a standard set of emails you send out before, during and after tests?
This feature allows you to build those templates in Canopy.

Taxonomy templates [TODO]: Taxonomy templates provide a way
of linking findings to external (e.g. CWE) and internal/client (e.g.
client-specific secure development requirements) reference material,
in a way that can then be included in reports or analytics.

Scoping questionnaires [TODO]: In order to scope projects,
it's typical to use questionnaires to capture mandatory and
nice-to-have information for preparing for delivery. Reusable
questionnaires help with consistency in this approach.

Other tasks

Working with Jira: How to work with Jira from
Canopy to help share information between testers and development/ops
teams.